From: Velvet Pixel <velvetpixel@gmail.com>
To: Ukeme Noah <ukeme.noah@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: iptables help please
Date: Fri, 11 Jul 2008 23:58:12 -0700
Message-ID: <0c82ecfe1685aebedfa4236ba40d9293@gmail.com>
In-Reply-To: <487833cf.0405be0a.0354.106d@mx.google.com>
Hi Ukeme,
Thanks for your help.
Turns out it was log packet rules that I had for OUTPUT and FORWARD
that for some reason were not logging before the upgrade and were
definitely logging after the upgrade! I removed the log rules and my
log files are back to normal.
I have all SSH traffic allowed only to my home office static IP. Is
that not safe?
That packet log you saw happened to be traffic from me :)
Is PKI Auth better because no password is being broadcast?
Thanks!
Cameron Smith
On Jul 11, 2008, at 9:32 PM, Ukeme Noah wrote:
> Howdy,
>
> From my understanding, a message like "RES=0X00 ACK SYN URGP=0" would
> indicate a reply to a syn packet. Considering the source port is 22, I
> would suspect unauthorized access attempts on your server. On that note,
> I'd strongly advise, [if you've not already done so] that you use the PKI
> authentication mechanism and configure the SSH server to close any
> connection attempt to your server that fails to use this mechanism.
>
> Warm Regards
> Ukeme Noah
>
> -----Original Message-----
> From: netfilter-owner@vger.kernel.org
> [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Velvet Pixel
> Sent: Friday, July 11, 2008 7:17 PM
> To: netfilter@vger.kernel.org
> Subject: iptables help please
>
> Since upgrading my install from CentOS 5.1 to 5.2 I am getting lots
> of errors in messages that look like they are iptables related.
>
> If anybody could help comment on my iptables rules to let me know if I
> have them set up incorrectly I would appreciate it :)
>
> This is on an OpenVZ VPS at a remote data center and not a box on my
> LAN.
>
> Run chain banished Always
> Accept If input interface is lo
> Accept If protocol is TCP and TCP flags ACK (of ACK) are set
> Accept If state of connection is ESTABLISHED
> Accept If state of connection is RELATED
> Accept If protocol is TCP and source port is 53
> Accept If protocol is UDP and source port is 53
> Accept If protocol is ICMP and ICMP type is echo-reply
> Accept If protocol is ICMP and ICMP type is destination-unreachable
> Accept If protocol is ICMP and ICMP type is source-quench
> Accept If protocol is ICMP and ICMP type is time-exceeded
> Accept If protocol is ICMP and ICMP type is parameter-problem
> Accept If protocol is ICMP and ICMP type is echo-request
> Drop If protocol is TCP and destination port is ftp
> Accept If protocol is TCP and source is xx.xx.xx.xx and destination
> port is ssh
> Drop If protocol is TCP and destination port is ssh
> Accept If protocol is TCP and destination port is 25
> Accept If protocol is TCP and destination port is 80
> Accept If protocol is TCP and source is xx.xx.xx.xx and destination
> port is 110
> Drop If protocol is TCP and destination port is 110
> Accept If protocol is TCP and destination port is 113
> Accept If protocol is TCP and source is xx.xx.xx.xx and destination
> port is 143
> Drop If protocol is TCP and destination port is 143
> Accept If protocol is TCP and destination port is 443
> Drop If protocol is TCP and destination port is 465
> Accept If protocol is TCP and source is xx.xx.xx.xx and destination
> port is 10000:10010
> Drop If protocol is TCP and destination port is 10000:10010
> Accept If protocol is TCP and source is xx.xx.xx.xx and destination
> port is 20000
> Drop If protocol is TCP and destination port is 20000
> Accept If source is 127.0.0.1
> Accept If input interface is venet0
>
> The xx.xx.xx.xx is my static IP for my home office.
> The chain banished is a list of IPs of crackers that were repeatedly
> trying to get into my system; their source IPs are set to deny.
>
>
> The type of error I am seeing is:
> Jul 10 16:42:12 vps kernel: IN= OUT=venet0 SRC=IP.IP.IP.IP
> DST=zz.zz.zz.zz LEN=1452 TOS=0x08 PREC=0x00 TTL=64 ID=4361 DF PROTO=TCP
> SPT=22 DPT=63628 WINDOW=644 RES=0x00 ACK URGP=0
>
> zz.zz.zz.zz=any ip accessing the server
> IP.IP.IP.IP=IP of the server
>
> My messages file is usually 44B and now in one day it is over 60MB!!!
> There are thousands of those messages being logged, so I need help :)
>
> Thanks,
> Cameron
>
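As an added example (not part of either post), here is a small Python triage script for the kind of log flood Cameron describes. It parses netfilter LOG lines like the one quoted above and labels each entry by direction and TCP flags, so that an OUTPUT-chain log of the server's own SSH replies (OUT=venet0, SPT=22, ACK set) is counted separately from genuine inbound connection attempts (IN=venet0, a bare SYN to DPT=22). The sample lines, hostname and addresses are constructed for the example; the addresses use RFC 5737 documentation ranges.

```python
"""Triage netfilter LOG entries from /var/log/messages.

Added example for this thread, not code from the original posts.  The sample
lines below are constructed to mirror the entry quoted in the thread; the
addresses are RFC 5737 documentation ranges, not real hosts.
"""
import re
from collections import Counter

# Constructed sample: two OUTPUT-chain logs of the server's own SSH replies
# (SPT=22, ACK set, OUT=venet0), one SYN-ACK reply, one inbound bare SYN to
# port 22, and one inbound UDP DNS query.
SAMPLE_LOG = """\
Jul 10 16:42:12 vps kernel: IN= OUT=venet0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1452 TOS=0x08 PREC=0x00 TTL=64 ID=4361 DF PROTO=TCP SPT=22 DPT=63628 WINDOW=644 RES=0x00 ACK URGP=0
Jul 10 16:42:12 vps kernel: IN= OUT=venet0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1452 TOS=0x08 PREC=0x00 TTL=64 ID=4362 DF PROTO=TCP SPT=22 DPT=63628 WINDOW=644 RES=0x00 ACK URGP=0
Jul 10 16:42:13 vps kernel: IN= OUT=venet0 SRC=192.0.2.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=51000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jul 10 16:42:15 vps kernel: IN=venet0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1234 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 10 16:42:16 vps kernel: IN=venet0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=48 ID=1235 DF PROTO=UDP SPT=40000 DPT=53 LEN=48
"""

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
IP_FLAGS = {"DF", "MF", "CE"}

# Everything after "kernel:" (optionally a dmesg timestamp), then an optional
# --log-prefix text, then the IN=... field list.
_LOG_RE = re.compile(r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(.*?)(IN=.*)$")


def parse_log_line(line):
    """Parse one syslog line into a dict of netfilter fields, or None.

    Key=value tokens go in as strings (IN= and OUT= may be empty); bare
    tokens such as SYN or DF are collected in the tcp_flags / ip_flags sets.
    UDP entries carry a second LEN= for the UDP header; the first (IP) LEN wins.
    """
    m = _LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group(1).strip(), "tcp_flags": set(), "ip_flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec.setdefault(key, value)
        elif tok in TCP_FLAGS:
            rec["tcp_flags"].add(tok)
        elif tok in IP_FLAGS:
            rec["ip_flags"].add(tok)
    return rec


def classify(rec):
    """Label a record together with the port that matters for it.

    local-service-reply: logged on the way OUT with ACK set, so it is our own
        server answering a client (the case in this thread: SPT=22, the SSH
        daemon talking back).  Logging these is noise, not evidence of attack.
    new-inbound-syn: logged on the way IN with only SYN set, i.e. a remote
        host opening a connection to DPT.  These are the entries worth counting.
    other: UDP, ICMP, forwarded traffic and unusual flag combinations.
    """
    outbound = bool(rec.get("OUT")) and not rec.get("IN")
    inbound = bool(rec.get("IN")) and not rec.get("OUT")
    if rec.get("PROTO") == "TCP":
        if outbound and "ACK" in rec["tcp_flags"]:
            return "local-service-reply", rec.get("SPT")
        if inbound and rec["tcp_flags"] == {"SYN"}:
            return "new-inbound-syn", rec.get("DPT")
    return "other", None


def summarize(text):
    """Count (label, port) pairs over a block of syslog text."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


def inbound_syn_sources(text):
    """Per-source count of new inbound connection attempts, most frequent first."""
    sources = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None and classify(rec)[0] == "new-inbound-syn":
            sources[rec["SRC"]] += 1
    return sources.most_common()


if __name__ == "__main__":
    for (label, port), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:6d}  {label:20s} port={port}")
    print("inbound SYN sources:", inbound_syn_sources(SAMPLE_LOG))
```

To use it on a real messages file, read the file and pass its contents to summarize(). A large count under local-service-reply points at a LOG rule in OUTPUT matching established traffic, which is what the upgrade exposed here; the per-source counts from inbound_syn_sources() are the figures a blocklist chain such as banished would actually be built from.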
2008-07-11 23:16 iptables help please Velvet Pixel
2008-07-12 4:32 ` Ukeme Noah
2008-07-12 6:58 ` Velvet Pixel [this message]